The file residing at C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\ is not a virus. The name is alphanumeric and is a temp file.
To Block /CFIDE requests
Even if you do not have a virtual directory specified for /CFIDE on your IIS sites, the ColdFusion IIS connector will still pass through requests for /CFIDE/administrator/index.cfm. Therefore, you must explicitly block /CFIDE requests.
IIS 7 has powerful request filtering capabilities that can enhance the security of your web server. Make sure that the Request Filtering feature is installed. Create a global Request Filtering rule for all sites on the server by editing the applicationHost.config file, which is located in the c:\windows\system32\inetsrv\config directory by default. Before editing the file, make a backup of this file.
Adobe ColdFusion 9 Server Lockdown Guide 10
This file is an XML configuration file, so all changes must result in a valid XML document. Locate the <requestFiltering> tag, which is located in the <configuration> <system.webServer> <security> <requestFiltering> hierarchy.
Add a child tag to <requestFiltering> named <denyUrlSequences> with the following information:
<add sequence="/CFIDE/administrator" />
If there is already a <denyUrlSequences> tag, append the <add sequence> tags to the existing tag.
Next, you must allow access to the /CFIDE/administrator URI in the cfadmin website. Create a file called web.config in the web root with the following content:
The above configuration overrides the global request filtering and removes the deny rule for the URI /CFIDE/administrator.
Did you ever find a solution to your issue? I have locked down CFIDE but every so often, my virus protection detects and deletes 10-30 files being uploaded to the ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp. I am unable to find any POST commands in the IIS logs to determine which site on this shared server could be allowing the upload. We are running Windows 2008R2, IIS 7.5, CF 9,0,1,274733 hotfix 4.
You can look at this thread, http://forums.adobe.com/message/5443464#5443464, the post in position 8, and at Charlie Arehart's blog at http://www.carehart.org/blog/client/index.cfm/2006/5/7/cfform_not_doing_upload to understand how it is possible.
The situation is that if you have a form with an input type file, when you submit the form this file is uploaded to the folder ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp even though there is not a cffile in the response page. However, if the file is in format .tmp it should not be dangerous.
To limit these uploads, I realized that in the IIS logs, at the same time that the antivirus blocks the file, there is a request for the page http://myserverip/cfide/h.cfm. When you see that request, block the IP address that made it. In my case it's always the same group of 2-3 IPs making this kind of request.
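The correlation described in the last reply can be scripted. The following is an added example, not part of the original posts: it parses IIS W3C extended logs and lists the client IPs that requested anything under /cfide/ within a short window of an antivirus detection. The sample log lines, the detection times, the 60-second window and the function names are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended format (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2013-07-01 10:14:58 GET /index.cfm 198.51.100.7 Mozilla/5.0 200
2013-07-01 10:15:02 GET /cfide/h.cfm 203.0.113.45 - 200
2013-07-01 10:15:03 POST /CFIDE/h.cfm 203.0.113.45 - 200
2013-07-01 11:40:00 GET /CFIDE/scripts/cfform.js 198.51.100.7 Mozilla/5.0 200
2013-07-01 12:30:10 GET /cfide/h.cfm 203.0.113.46 - 404
"""
# Constructed antivirus detection times. IIS logs in UTC by default, so convert
# the AV product's local timestamps to UTC before comparing.
SAMPLE_AV_TIMES = [datetime(2013, 7, 1, 10, 15, 5), datetime(2013, 7, 1, 12, 30, 12)]


def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the header can change mid-file
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            yield row


def suspects(log_text, av_times, uri_prefix="/cfide/", window=timedelta(seconds=60)):
    """Map client IP -> requests under uri_prefix within `window` of an AV detection.

    The HTTP method is deliberately not filtered, so the search does not depend
    on the upload showing up as a POST.
    """
    hits = defaultdict(list)
    for row in parse_w3c(log_text):
        if not row["cs-uri-stem"].lower().startswith(uri_prefix):
            continue
        if any(abs(row["ts"] - t) <= window for t in av_times):
            hits[row["c-ip"]].append((row["ts"], row["cs-method"], row["cs-uri-stem"], row["sc-status"]))
    return dict(hits)


if __name__ == "__main__":
    for ip, reqs in suspects(SAMPLE_LOG, SAMPLE_AV_TIMES).items():
        print(ip, len(reqs), "request(s):", [r[2] for r in reqs])
```

On a shared server, run it over each site's log directory separately; the site whose log contains the matching requests is the one passing them to ColdFusion.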